UPDATE: Andrej from Noovo writes in the comments below that they have modified Noovo’s UI flow so that the selection of contacts for invitation to their service is now more clearly defined.  Thankfully, this post is now history and lessons learned.


I thought about sending this feedback directly to Noovo but it’s important to warn others and also have a place to point all the people who have received Noovo’s auto-invite and replied back to me, “is this real?” If and when Noovo modifies their sign-up flow to address the concerns I’ve outlined below, I will happily update this post.

When I sign up to test out a new service, I take care to not let the service email my contacts with spammy invites. Yesterday they got me and I ended up inviting all my friends to a service I was only testing out, embarrassing me and turning me off from spending more time with the service to figure it out. Crafty placement and defaults were to blame.

The first thing Noovo does is ask you for your Facebook credentials. There’s small text in the upper right corner that says “skip” – most wouldn’t notice this, making it seem like handing over your Facebook account is a requirement.

Next they present the standard, “Login with your favorite service to see if your friends are already using us” screen. There is even some text at the bottom: “We do not store your login details nor do we use them for any other purpose than to retrieve your contacts.”

This is the real sneaky one. I’ve already fallen into this trap so I can’t show you what the screen looked like before (the above is from a second account) but imagine this. I logged in with my Gmail credentials, was redirected to a page on google.com confirming that I was giving one-time access to Noovo to read my contacts file.

I then got a version of the screen you see above that had 10 or so contacts in the blue portion; these are people already registered on Noovo that I could connect to. But, because I had several lines of people already on the service, it completely hid the contacts that were not on the service and were checked by default to be sent an invitation to the service once I clicked “Next.”

Two things.

a. Noovo never said they would use my credentials to send out invitations, just to retrieve contacts.

b. By hiding the list of invited contacts checked off below the screen, there is no way I would know unless I saw the scroll bar on the right of the screen.

4. The email invite was a real work of social engineering as well: “Please respond or ian kennedy may think you said No.” I would have deleted my account off of Noovo but I don’t want people accepting my invite only to find that I’m not there. Laying the guilt trip on me and my friends is not the way to entice people to join your site.

Way to make my day, guys. I’ve been spending all afternoon explaining to everyone what happened.